Customer Identity and Access Management (CIAM) can mean many different things to many different people. To help you determine where Hosted Login fits in the CIAM world, we’ve put together a list of some of the more common (as well as a few less common) features found in CIAM implementations, and have indicated whether these features are supported in the current release of Hosted Login.
Users are limited to modifications that can be made by changing the flow or by using CSS.
Restricts access to a website or mobile app based on a user's age: users below a specified age (or users who have not provided a birthdate) are denied access.
Change the Favicon
Organizations can change the default Akamai favicon that appears in browser tabs.
Change the Logo
Organizations can change the default Akamai logo that appears on the login and registration pages.
Organizations can use standard protocols (such as SAML 2) to create social login identity providers that do not appear in the Akamai Engage app.
Consent Compliance and Management
Marketing consent is included out-of-the-box and additional consents can be added by the Akamai Services team.
Claims effectively represent a single user attribute: a user’s first name is a claim, a user’s middle name is a second claim, and a user’s last name is a third claim. Claims can be created to represent any attribute in the user profile.
Custom Domain Name
Organizations can work with their Akamai representatives to “CNAME” their Hosted Login URLs.
Custom Email Delivery Service
Transactional emails (for example, the password reset email and the verify-email-address email) can only be sent by Akamai.
Organizations can create and request custom scopes (that is, custom collections of OIDC claims).
Users can create custom screens to be displayed during the login/registration process.
Customize Authorization Rules
Add new authorization rules: policies that must be met before a user can log on to a website or app.
Customize Token Lifetimes
Access token and refresh token lifetimes can be modified by using token policies (by default, access tokens expire after 1 hour and refresh tokens expire after 90 days). However, modifying token policies must currently be done by Akamai.
A user can delete his or her account and all the data associated with that account.
Display and Save Plural Attributes
Plural attributes (attributes that can contain any number of objects) can be displayed in the login, registration, and user profile screens.
Websites/apps can prevent a user from fully logging on (i.e., from receiving an access token) until the user has verified their email address.
Email-only Registration (Light/Subscription Registration)
Registration method in which a user supplies an email address but no password.
A user who can’t log on because they have forgotten their password can request an email link that will enable them to create a new password.
Yes, but …
Link Social Accounts
Enables a user to add a social login identity provider to their current account.
Translations can be added to a site by modifying the flow. Hosted Login supports all Unicode characters.
Manage Hosted Login by Using APIs
All Hosted Login components can be managed by using APIs, including OIDC clients, login policies, and token policies.
Manage Hosted Login by Using the Console
“Traditional” Identity Cloud components (such as applications, API clients, entity types, and flows) can be managed by using Console. However, OpenID Connect components – such as OIDC clients, login policies, and token policies – cannot be managed by using Console. Instead, these components must, for now, be managed by Akamai Professional Services.
Yes, but …
Merge Social Accounts
If a user with an existing account logs on by using a social login identity provider that uses the same email address as the existing account, the existing account and the new IDP account can be joined together.
Mobile Device Access
Users can log on to or register with a website or app by using a mobile device. Note that Hosted Login supports the use of app browser tabs but does not support webviews.
Mobile Number as Identifier
Users can log on to a website or app by using their mobile device number rather than their email address.
Modifications to the CSS
Organizations can override the CSS stylesheet that dictates the look and feel of login, registration, and user profile screens. You can apply a different CSS stylesheet to each Hosted Login API client.
Modify the Hosted Login Flow
Hosted Login flows can be modified by using the Configuration APIs.
Security system that requires more than one method of authentication in order to verify the user’s identity.
Automatically generated character string that authenticates a user for a single transaction or session.
Organizations Can Host Their Own Web Pages
Currently all login, registration, and user profile pages are hosted by Akamai. However, organizations are required to host their custom CSS stylesheets, icons, or favicons.
Users can change their own passwords, without requiring helpdesk support.
Post-Logon Validation and Processing
Validation and other processing which takes place after the logon/registration screens have been dismissed.
Identity providers that require initial configuration by Akamai support personnel before those IDPs are available in the Engage app.
Strategy in which you gradually build up a user profile over time, and in context. With progressive profiling, the personal data for a user is not collected all at once (e.g., at registration). Instead, data is collected over time, and only when needed to support the user experience.
Advanced form of CAPTCHA that makes an initial assessment as to whether the entity attempting to register or to log on is a bot.
Request a Copy of Stored Data
Users can request to see all of their personal data being stored by a website or app.
Websites/apps can prevent a user from fully logging on (i.e., from receiving an access token) until the user has provided a non-null value for each attribute in a specified set of required attributes.
Single sign-on is possible for sites that share the same OpenID Provider. Single sign-on is also available for all the apps on the same mobile device.
Yes, but …
Users can register with a website or app by first logging on to an existing account with a social login identity provider such as Facebook or Twitter.
Users can log on to a website or app by first logging on to an existing account with a social login identity provider such as Facebook or Twitter.
Standard Login and Registration Events
Standard login and registration events (including traditional/social logins and registrations as well as user profile updates) are still recorded, but there is currently no way for you to bind to those events.
Yes, but …
After initial logon, and based on risk level, a user can be asked to provide an additional form of authentication before they can be fully logged on to a website or app.
Social login registration method in which the socialRegistration screen is not displayed after a user logs in for the first time using a social provider.
Third-Party Analytic Tools
Customer Insights is the primary analytic tool to be used with Hosted Login.
Users can register with a website or app by creating an account that uses an email address and password for logging on.
Users can log on to a website or app by supplying an email address and password.
After signing on with an email address and password, users are required to supply another form of authentication (such as a code sent to their mobile device) before they can be fully logged on to a website or app.
User Profile Management
Users have the ability to view, and to modify, their user profile.
Akamai webhooks can be used to record activities such as user logins, user registrations, and user profile changes.